Domain Theory for Concurrency

Mikkel Nygaard Glynn WinskelBRICS∗ Computer Laboratory

University of Aarhus University of Cambridge

Abstract

A simple domain theory for concurrency is presented. Based on a categoricalmodel of linear logic and associated comonads, it highlights the role of linear-ity in concurrent computation. Two choices of comonad yield two expressivemetalanguages for higher-order processes, both arising from canonical construc-tions in the model. Their denotational semantics are fully abstract with respectto contextual equivalence. One language derives from an exponential of linearlogic; it supports a straightforward operational semantics with simple proofsof soundness and adequacy. The other choice of comonad yields a model ofaffine-linear logic, and a process language with a tensor operation to be under-stood as a parallel composition of independent processes. The domain theorycan be generalised to presheaf models, providing a more refined treatment ofnondeterministic branching. The article concludes with a discussion of a broaderprogramme of research, towards a fully fledged domain theory for concurrency.

1 Introduction

Denotational semantics and domain theory of Scott and Strachey provide a globalmathematical setting for sequential computation, and thereby place programminglanguages in connection with each other; connect with the mathematical worlds ofalgebra, topology and logic; and inspire programming languages, type disciplinesand methods of reasoning.

In concurrent/distributed/interactive computation that global mathematical gui-dance is missing, and domain theory has had little direct influence on theories ofconcurrent computation. One reason is that classical domain theory has not scaledup to the more intricate models used there.

Broadly speaking, approaches to concurrency are either based on a specificmathematical model of processes or start from the syntax of a process calculus.Among the variety of models for concurrency, one can discern an increasing use ofcausal/independence/partial-order models (such as Petri nets and event structures)in which computation paths are partial orders of events. Independence models threadthrough partial-order model checking [45], security protocols [50], nondeterministicdataflow [17], self-timed circuits [18], term-rewriting, game semantics [3], and theanalysis of distributed algorithms [29]. There are a variety of process calculi, most of

∗Basic Research in Computer Science (www.brics.dk),funded by the Danish National Research Foundation.

1

them based on an operational semantics. Following on from the π-calculus [37, 47],new-name generation is central to almost all calculi of topical interest. Many arehigher-order (allowing process passing) which presents a challenge in understandingsuitable equivalences, of which forms of bisimulation are prevalent.

Theories of concurrency form a rather fragmented picture. Relations betweendifferent approaches are often unclear; ideas are rediscovered (for example, specialevent structures reappear as “strand spaces” in reasoning about security proto-cols [50, 16]). A lot of energy is used on local optimisations to specific process calculi,optimisations that may obscure connections and the global picture. Research is of-ten “modelling-driven” in the sense that many approaches are based on formalisingsome feature observed in the computing world; the feature may be general such aslocality of computation, or specific as in the study of a particular protocol. But thelessons learnt often remain isolated for lack of the commonality a global frameworkwould provide.

A domain theory which handled higher-order processes, independence models,name-generation, and possessed an operational interpretation would provide a globalmathematical framework for most theories of concurrency. In case incorporating in-dependence models into a domain theory seems a tall order, there are now arguments(based on event-structure representations of process denotations—see Sect. 6.4) thatthe operational semantics associated with a domain theory for concurrency will in-volve event structures. It should be remarked that a traditional use of powerdo-mains [46], based on domains of resumptions, will fall short because, insisting on anondeterministic choice of actions one at a time, it cannot accommodate indepen-dence models where computation paths have more structure than strings of actions.

How do we work towards such a domain theory for concurrency? The potentiallycomplicated structure of computation paths suggests building a domain theory di-rectly on computation paths. This line has been followed in what seemed originallyto be two different directions, one being Matthew Hennessy’s semantics for CCSwith process passing [22], in which a process denotes the set of its computationpaths. We’ll call this kind of semantics a path semantics because of its similarityto trace semantics [24]; in both cases, processes denote downwards-closed sets ofcomputation paths and the corresponding notion of process equivalence, called pathequivalence, is given by equality of such sets. Computation paths, however, may havemore structure than traditional traces, e.g. allowing path semantics to take nonde-terministic branching into account in a limited way. For example, path equivalence isrelated to simulation equivalence in Sect. 3.5 below. The other path-based approachis that of categories of presheaf models [14] in which processes denote mappingsfrom computation paths to sets of “realisers” saying how each computation pathmay be realised. This extra structure allows the incorporation of complete branch-ing information, and the corresponding notion of process equivalence is a form ofbisimulation [26]. The two approaches are variations on a common idea: that a pro-cess denotes a form of characteristic function in which the truth values are sets ofrealisers. A path set may be viewed as a special presheaf that yields at most onerealiser for each path.

2

The study of presheaf models for concurrency has drawn attention to a 2-categorical model of linear logic and associated pseudo-comonads [15]. This led tothe discovery of two expressive metalanguages for concurrency, one based on an ex-ponential of linear logic (from which one derives a model of intuitionistic logic), theother based on a weakening comonad (from which one derives a model of affine-linearlogic). The presheaf semantics led to operational semantics, guided by the idea thatderivations of transitions in the operational semantics, associated with paths, shouldcorrespond to elements of the presheaf denotations. The presheaf models capture thenondeterministic branching of processes and support notions of bisimulation. Butthere is a significant overhead in terms of the category theory needed.

In this paper we concentrate on the simpler path semantics of the languages. Pathsets give rise to a simpler version of the categorical models, avoiding the 2-categoricalstructure. Though path sets are considerably simpler than presheaves they furnishmodels which are sufficiently rich in structure to show how both languages arise fromcanonical constructions on path sets. The path semantics admits simple proofs of fullabstraction, showing that path equivalence coincides with contextual equivalence.

One language, called HOPLA for Higher-Order Process LAnguage [41, 42], de-rives from an exponential of linear logic. It can be viewed as an extension of thelambda-calculus with CCS-like nondeterministic sum and prefix operations, in whichtypes express the form of computation path of which a process is capable. HOPLAcan directly encode calculi like CCS [35], CCS with process passing [22], and mo-bile ambients with public names [10, 11], and it can be given a straightforwardoperational semantics supporting a standard bisimulation congruence. We relate thedenotational and operational semantics giving pleasingly simple proofs of sound-ness and adequacy. Full abstraction implies that contextual equivalence coincideswith logical equivalence for a fragment of Hennessy-Milner logic, linking up withsimulation equivalence [21]. Work is in progress on extending HOPLA with namegeneration [55].

The other language is here called Affine HOPLA [40] and is based on a weak-ening comonad that yields a model of affine-linear logic in the sense of Jacobs [25].This language adds to HOPLA an interesting tensor operation at the price of linear-ity constraints on the occurrences of variables. The tensor can be understood as aparallel composition of independent processes and allows Affine HOPLA to encodeprocesses of the kind found in treatments of nondeterministic dataflow [27].

We conclude with a discussion of how the results fit within a broader programmeof research, towards a fully fledged domain theory for concurrency. Important leadscome by moving to categories obtained from presheaves rather than path sets. Thesecategories are very rich in structure. They point towards more expressive languagesthan HOPLA and Affine HOPLA. In particular, the affine category accommodatesthe independence model of event structures to the extent of supporting the stan-dard event structure semantics of CCS and related languages [12], as well as thetrace of nondeterministic dataflow [23]. In fact, Affine HOPLA can be given anevent structure semantics which at first order provides a representation of the pre-sheaf denotations. Nevertheless, it is here we meet the limitations of Affine HOPLA,and HOPLA. They can be shown not to support definitions of the standard eventstructure semantics of CCS and the trace of nondeterministic dataflow [43].

3

2 Domain Theory of Path Sets

In the path semantics, processes are intuitively represented as collections of theircomputation paths. Paths are elements of preorders P, Q, . . . called path orders whichfunction as process types, each describing the set of possible paths for processesof that type together with their sub-path ordering.1 A process of type P is thenrepresented as a downwards-closed subset X ⊆ P, called a path set. Path sets orderedby inclusion form the elements of the poset P which we’ll think of as a domain ofmeanings of processes of type P.

The poset P has many interesting properties. First of all, it is a complete latticewith joins given by union. In the sense of Hennessy and Plotkin [20], P is a “nonde-terministic domain”, with joins used to interpret nondeterministic sums of processes.Accordingly, given a family (Xi)i∈I of elements of P, we’ll often write Σi∈IXi fortheir join. A typical finite join is written X1 + · · · + Xk while the empty join is theempty path set, the inactive process, written ∅.

A second important property of P is that any X ∈ P is the join of certain“prime” elements below it; P is a prime algebraic complete lattice [39]. Primes aredown-closures yPp = {p′ : p′ ≤P p} of individual elements p ∈ P, representing aprocess that may perform the computation path p. The map yP reflects as well aspreserves order, so that p ≤P p′ iff yPp ⊆ yPp′, and yP thus “embeds” P in P. Weclearly have yPp ⊆ X iff p ∈ X and prime algebraicity of P amounts to saying thatany X ∈ P is the union of its elements:

X =⋃

p∈X yPp . (1)

Finally, P is characterised abstractly as the free join-completion of P, meaning(i) it is join-complete and (ii) given any join-complete poset C and a monotone mapf : P → C, there is a unique join-preserving map f † : P → C such that the diagramon the left below commutes.

PyP //

f $$IIIIIII Pf†

��C

f †X =⋃

p∈X fp . (2)

We call f † the extension of f along yP. Uniqueness of f † follows from (1).Notice that we may instantiate C to any poset of the form Q, drawing our atten-

tion to join-preserving maps P → Q. By the freeness property (2), join-preservingmaps P → Q are in bijective correspondence with monotone maps P → Q. Eachelement Y of Q can be represented using its “characteristic function”, a monotonemap fY : Qop → 2 from the opposite order to the simple poset 0 < 1 such thatY = {q : fY q = 1} and Q ∼= [Qop,2]. Uncurrying then yields the following chain:

[P, Q] ∼= [P, [Qop,2]] ∼= [P × Qop,2] = [(Pop × Q)op,2] ∼= Pop × Q . (3)

So the order Pop × Q provides a function space type. We’ll now investigate whatadditional type structure is at hand.

1It is possible to work with straight posets rather than preorders—indeed, the mathematics isvirtually unaffected by this choice—but preorders will be helpful in dealing with recursive types inSect. 3.1.

4

2.1 Linear and Continuous Categories

Write Lin for the category with path orders P, Q, . . . as objects and join-preservingmaps P → Q as arrows. It turns out Lin has enough structure to be understood asa categorical model of Girard’s linear logic [19, 49]. Accordingly, we’ll call arrows ofLin linear maps.

Linear maps are represented by elements of Pop × Q and so by downwards-closedsubsets of the order Pop×Q. This relational presentation exposes an involution cen-tral in understanding Lin as a categorical model of classical linear logic. The involu-tion of linear logic, yielding P⊥ on an object P, is given by Pop; clearly, downwards-closed subsets of Pop ×Q correspond to downwards-closed subsets of (Qop)op × Pop,showing how maps P → Q correspond to maps Q⊥ → P⊥ in Lin. The tensor productof P and Q is given by the product of preorders P × Q; the singleton order 1 is aunit for tensor. Linear function space P ( Q is then obtained as Pop ×Q. ProductsP & Q are given by P + Q, the disjoint juxtaposition of preorders. An element ofP & Q can be identified with a pair (X,Y ) with X ∈ P and Y ∈ Q, which providesthe projections π1 : P & Q → P and π2 : P & Q → Q in Lin. More general, not justbinary, products &i∈I Pi with projections πj , for j ∈ I, are defined similarly. Fromthe universal property of products, a collection of maps fi : P → Pi, for i ∈ I, canbe tupled together to form a unique map 〈fi〉i∈I : P → &i∈I Pi with the propertythat πj ◦〈fi〉i∈I = fj for all j ∈ I. The empty product is given by the empty order Oand, as the terminal object, is associated with unique maps ∅P : P → O, constantly∅, for any path order P. All told, Lin is a ∗-autonomous category, so a symmetricmonoidal closed category with a dualising object, and has finite products (indeed,all products) as required by Seely’s definition of a model of linear logic [49].

In fact, Lin also has all coproducts, also given on objects P and Q by the juxta-position P+Q and so coinciding with products. Injection maps in1 : P → P+Q andin2 : Q → P+Q in Lin derive from the obvious injections into the disjoint sum of pre-orders. The empty coproduct is the empty order O which is then a zero object. Thiscollapse of products and coproducts highlights that Lin has arbitrary biproducts. Viathe isomorphism Lin(P, Q) ∼= Pop × Q, each homset of Lin can be seen as a com-mutative monoid with neutral element the always ∅ map, itself written ∅ : P → Q,and sum given by union, written +. Composition in Lin is bilinear in that, givenf, f ′ : P → Q and g, g′ : Q → R, we have (g+g′)◦(f +f ′) = g◦f +g◦f ′+g′◦f +g′◦f ′.Further, given a family of objects (Pα)α∈A, we have for each β ∈ A a diagram

Pβinβ

// Σα∈APα

πβoo such that

πβ ◦ inβ = 1Pβ,

πβ ◦ inα = ∅ if α 6= β, andΣα∈A(inα ◦ πα) = 1Σα∈APα .

(4)

Processes of type Σα∈APα may intuitively perform computation paths in any of thecomponent path orders Pα.

We see that Lin is rich in structure. But linear maps alone are too restrictive.Being join-preserving, they in particular preserve the empty join. So, unlike e.g.prefixing, linear maps always send the inactive process ∅ to itself. Looking for abroader notion of maps between nondeterministic domains we follow the disciplineof linear logic and consider non-linear maps whose domain is under an exponential,

5

!. One choice of a suitable exponential for Lin is got by taking !P to be the preorderobtained as the free finite-join completion of P. Concretely, !P can be defined tohave finite subsets of P as elements with ordering given by �P, defined for arbitrarysubsets X,Y of P as follows:

X �P Y ⇐⇒def ∀p ∈ X.∃q ∈ Y. p ≤P q . (5)

When !P is quotiented by the equivalence induced by the preorder we obtain a posetwhich is the free finite-join completion of P. By further using the obvious inclusionof this completion into P, we get a map iP : !P → P sending a finite set {p1, . . . , pn}to the join yPp1 + · · · + yPpn. Such finite sums of primes are the finite (isolated,compact) elements of P. The map iP assumes the role of yP above. For any X ∈ Pand P ∈ !P, we have iPP ⊆ X iff P �P X, and X is the directed join of the finiteelements below it:

X =⋃

P�PX iPP . (6)

Further, P is the free directed-join completion of !P (also known as the ideal com-pletion of !P). This means that given any monotone map f : !P → C for somedirected-join complete poset C, there is a unique directed-join preserving (i.e. Scottcontinuous) map f ‡ : P → C such that the diagram below commutes.

!PiP //

f $$IIIIIII Pf‡

��C

f ‡X =⋃

P�PX fP . (7)

Uniqueness of f ‡, called the extension of f along iP, follows from (6). As before,we can replace C by a nondeterministic domain Q and by the freeness properties(2) and (7), there is a bijective correspondence between linear maps !P → Q andcontinuous maps P → Q.

We define the category Cts to have path orders P, Q, . . . as objects and continu-ous maps P → Q as arrows. These arrows allow more process operations, includingprefixing, to be expressed. The structure of Cts is induced by that of Lin via anadjunction between the two categories.

2.2 An Adjunction

As linear maps are continuous, Cts has Lin as a sub-category, one which shares thesame objects. We saw above that there is a bijection

Lin(!P, Q) ∼= Cts(P, Q) . (8)

This is in fact natural in P and Q so an adjunction with the inclusion Lin ↪→ Ctsas right adjoint. Via (7) the map y!P : !P → !P extends to a map ηP = y‡!P : P → !Pin Cts. Conversely, iP : !P → P extends to a map εP = i†P : !P → P in Lin using (2).These maps are the unit and counit, respectively, of the adjunction:

ηPX =⋃

P�PX y!PP εPX =⋃

P∈X iPP (9)

The left adjoint is the functor ! : Cts → Lin given on arrows f : P → Q by(ηQ ◦f ◦ iP)† : !P → !Q. The bijection (8) then maps g : !P → Q in Lin to g = g ◦ηP :

6

P → Q in Cts while its inverse maps f : P → Q in Cts to f = εQ ◦ !f in Lin. We callg and f the transpose of g and f , respectively; of course, transposing twice yieldsback the original map. As Lin is a sub-category of Cts, the counit is also a map inCts. We have εP ◦ ηP = 1P and 1!P ≤ ηP ◦ εP, the pointwise order, for all objects P.

Right adjoints preserve products, and so Cts has finite products given as in Lin.Hence, Cts is a symmetric monoidal category like Lin, and in fact, our adjunction issymmetric monoidal (see [31] pp. 251–6). In detail, there are isomorphisms of pathorders,

k : 1 ∼= !O and mP,Q : !P × !Q ∼= !(P & Q) , (10)

with mP,Q mapping a pair (P,Q) ∈ !P × !Q to the union in1 P ∪ in2 Q; any elementof !(P & Q) can be written on this form. These isomorphisms induce isomorphismswith the same names in Lin with m natural. Moreover, k and m commute with theassociativity, symmetry and unit maps of Lin and Cts, such as sLin

P,Q : P×Q ∼= Q×P

and rCtsQ : Q & O ∼= Q, making ! symmetric monoidal. It then follows [28] that the

inclusion Lin ↪→ Cts is symmetric monoidal as well, and that the unit and counitare monoidal transformations. Thus, there are maps

l : O → 1 and nP,Q : P & Q → P × Q (11)

in Cts, with n natural, corresponding to k and m above; l maps ∅ to {∗} while nP,Q

is the extension h‡ of the map h(in1 P ∪ in2 Q) = iPP × iQQ. The unit also makesthe diagrams below commute and the counit satisfies similar properties.

P & QηP&ηQ

vvmmmmmmmm ηP&Q

((QQQQQQQQ Ol //

ηO $$IIIIIII 1

k��!P & !Q n!P,!Q

// !P × !Q mP,Q

// !(P & Q) !O

(12)

The diagram on the left can be written as strP,Q ◦ (1P & ηQ) = ηP&Q where str , thestrength of ! viewed as a monad on Cts, is the natural transformation

P & !QηP&1!Q// !P & !Q

n!P,!Q // !P × !QmP,Q // !(P & Q) . (13)

Finally, recall that the category Lin is symmetric monoidal closed so that thefunctor (Q ( −) is right adjoint to (− × Q) for any object Q. Together with thenatural isomorphism m this provides a right adjoint (Q → −), defined by (!Q ( −),to the functor (− & Q) in Cts via the chain

Cts(P & Q, R) ∼= Lin(!(P & Q), R) ∼= Lin(!P × !Q, R)∼= Lin(!P, !Q ( R) ∼= Cts(P, !Q ( R) = Cts(P, Q → R) (14)

—natural in P and R. This demonstrates that Cts is cartesian closed, as is wellknown. The adjunction between Lin and Cts now satisfies the conditions put for-ward by Benton, Bierman, Hyland, and de Paiva for a categorical model of intu-itionistic linear logic, strengthening those of Seely [5, 4, 49]; see also [33] for a recentsurvey of such models.

7

3 HOPLA

HOPLA is a typed process language directly suggested by the structure of the cat-egory Cts [41, 42]. A typing judgement

x1 : P1, . . . , xk : Pk ` t : Q (15)

means that a process t yields computation paths in Q once processes with compu-tation paths in P1, . . . , Pk are assigned to the variables x1, . . . , xk respectively.

3.1 Denotational Semantics

Types are given by the grammar

T ::= T1 → T2 | Σα∈ATα | !T | T | µj~T .~T . (16)

The symbol T is drawn from a set of type variables used in defining recursive types;closed type expressions are interpreted as path orders. Using vector notation, µj

~T .~Tabbreviates µjT1, . . . , Tk.(T1, . . . , Tk) and is interpreted as the j-component, for 1 ≤j ≤ k, of “the least” solution to the defining equations T1 = T1, . . . , Tk = Tk, inwhich the expressions T1, . . . , Tk may contain the Tj ’s. What “the least” means willbe explained below. We shall write µ~T .~T as an abbreviation for the k-tuple withj-component µj

~T .~T, and confuse a closed expression for a path order with the pathorder itself.

Simultaneous recursive equations for path orders can be solved using informationsystems [48, 30]. Here, it will be convenient to give a concrete, inductive character-isation based on a language of paths:

p, q ::= P 7→ q | βp | P | abs p . (17)

Above, P ranges over finite sets of paths. We use P 7→ q as notation for pairs in thefunction space (!P)op × Q. The language is complemented by formation rules usingjudgements p : P, meaning that p belongs to P, displayed below alongside rulesdefining the ordering on P using judgements p ≤P p′. Recall that P �P P ′ means∀p ∈ P.∃p′ ∈ P ′. p ≤P p′.

P : !P q : Q

P 7→ q : P → Q

P ′ ≤!P P q ≤Q q′

P 7→ q ≤P→Q P ′ 7→ q′

p : Pβ β ∈ A

βp : Σα∈APα

p ≤Pβp′ βinA

βp ≤Σα∈APα βp′

p1 : P · · · pn : P

{p1, . . . , pn} : !PP �P P ′

P ≤!P P ′

p : Tj[µ~T .~T/~T ]

abs p : µj~T .~T

p ≤Tj [µ~T .~T/~T ]

p′

abs p ≤µj

~T .~Tabs p′

(18)

Using information systems as in [30] yields the same representation, except for thetagging with abs in recursive types, done to help in the proof of adequacy in Sec-tion 3.4.1. So rather than the straight equality between a recursive type and its un-folding which we are used to from [30], we get an isomorphism abs : Tj[µ~T .~T/~T ] ∼=µj

~T .~T whose inverse we call rep.

8

The raw syntax of terms is given by

t, u ::= x | rec x.t | Σi∈Iti | λx.t | t u | βt | πβt | !t | [u > !x ⇒ t] | abs t | rep t . (19)

The variable x in the “match” term [u > !x ⇒ t] is a binding occurrence and sobinds later occurrences of the variable in the body t. We shall take for grantedan understanding of free and bound variables, and substitution on raw terms. Thesyntax will be subject to typing constraints below.

Let P1, . . . , Pk, Q be closed type expressions and x1, . . . , xk distinct variables. Asyntactic judgement x1 : P1, . . . , xk : Pk ` t : Q stands for a map

Jx1 : P1, . . . , xk : Pk ` t : QK : P1 & · · · & Pk → Q (20)

in Cts. We’ll write Γ, or Λ, for an environment list x1 : P1, . . . , xk : Pk and most oftenabbreviate the denotation to P1&· · ·&Pk

t−→ Q, or Γ t−→ Q, or even JtK, suppressing thetype information. When the environment list is empty, the corresponding productis the empty path order O.

The term-formation rules are displayed below alongside their interpretations asconstructors on maps of Cts, taking the maps denoted by the premises to thatdenoted by the conclusion (cf. [8]). We assume that the variables in any environmentlist are distinct.

Structural rules. The rules handling environment lists (identity, weakening, exchange,and contraction) are given as follows:

x : P ` x : P P1P−→ P

(21)

Γ ` t : Q

Γ, x : P ` t : Q

Γ t−→ Q

Γ & Pt&∅P−−−→ Q & O

rCtsQ−−−→ Q

(22)

Γ, y : Q, x : P,Λ ` t : R

Γ, x : P, y : Q,Λ ` t : R

Γ & Q & P & Λ t−→ R

Γ & P & Q & Λ t◦(1Γ&sCtsP,Q &1Λ)−−−−−−−−−−→ R

(23)

Γ, x : P, y : P ` t : Q

Γ, z : P ` t[z/x, z/y] : Q

Γ & P & Pt−→ Q

Γ & P1Γ&∆P−−−−→ Γ & P & P

t−→ Q(24)

In the formation rule for contraction (24), the variable z must be fresh; the map ∆P

is the usual diagonal, given as 〈1P, 1P〉.Recursive definition. Since each P is a complete lattice, it admits least fixed-pointsof continuous maps. If f : P → P is continuous, it has a least fixed-point, fix f ∈ Pobtained as

⋃n∈ω fn(∅). This allows us to interpret recursively defined processes:

Γ, x : P ` t : P

Γ ` rec x.t : P

Γ & Pt−→ P

Γ fix F−−−→ P(25)

Here, fix F is the fixpoint in Cts(Γ, P) ∼= Γ → P of the continuous operation Fmapping g : Γ → P in Cts to the composition

Γ ∆Γ−−→ Γ & Γ 1Γ&g−−−→ Γ & Pt−→ P . (26)

9

Nondeterministic sum. Each path order P is associated with a join operation, Σ :&i∈I P → P in Cts taking a tuple 〈ti〉i∈I to the nondeterministic sum Σi∈Iti in P.We’ll write ∅ and t1 + · · · + tk for finite sums.

Γ ` tj : P all j ∈ I

Γ ` Σi∈Iti : P

Γ tj−→ P all j ∈ I

Γ 〈ti〉i∈I−−−−→ &i∈I PΣ−→ P

(27)

Function space. As noted at the end of Sect. 2.2, the category Cts is cartesian closedwith function space P → Q. Thus, there is a 1-1 correspondence curry from mapsP & Q → R to maps P → (Q → R) in Cts; its inverse is called uncurry . We obtainapplication, app : (P → Q) & P → Q as uncurry(1P→Q).

Γ, x : P ` t : Q

Γ ` λx.t : P → Q

Γ & Pt−→ Q

Γ curry t−−−−→ P → Q(28)

Γ ` t : P → Q Λ ` u : P

Γ,Λ ` t u : Q

Γ t−→ P → Q Λ u−→ P

Γ & Λ t&u−−→ (P → Q) & Papp−−→ Q

(29)

Sum type. The category Cts does not have coproducts, but we can build a useful sumtype out of the biproduct of Lin. The properties (4) are obviously also satisfied inCts, even though the construction is universal only in the subcategory of linear mapsbecause composition is generally not bilinear in Cts. We’ll write O and P1 + · · ·+Pk

for the empty and finite sum types. The product P1 & P2 of [41] with pairing (t, u)and projection terms fst t, snd t can be encoded as, respectively, P1 + P2, 1t + 2uand π1t, π2t.

Γ ` t : Pβ β ∈ A

Γ ` βt : Σα∈APα

Γ t−→ Pβ β ∈ A

Γ t−→ Pβinβ−−→ Σα∈APα

(30)

Γ ` t : Σα∈APα β ∈ A

Γ ` πβt : Pβ

Γ t−→ Σα∈APα β ∈ A

Γ t−→ Σα∈APαπβ−→ Pβ

(31)

Prefixing. The adjunction between Lin and Cts provides a type constructor, !(−),for which the unit ηP : P → !P and counit εP : !P → P play a role in interpreting termconstructors and deconstructors, respectively. The behaviour of ηP with respect tomaps of Cts fits that of an anonymous prefix operation. We’ll say that ηP maps u oftype P to a “prefixed” process !u of type !P; intuitively, the process !u will be ableto perform an action, which we call !, before continuing as the process u.

Γ ` u : P

Γ ` !u : !PΓ u−→ P

Γ u−→ PηP−→ !P

(32)

By the universal property of ηP, if t of type Q has a free variable of type P, andso is interpreted as a map t : P → Q in Cts, then the transpose t = εQ ◦ !t is theunique map !P → Q in Lin such that t = t ◦ ηP. With u of type !P, we’ll write[u > !x ⇒ t] for tu. Intuitively, this construction “tests” or matches u against thepattern !x and passes the results of successful matches for x on to t. Indeed, firstprefixing a term u of type P and then matching yields a successful match u for x

10

as t(ηPu) = tu. By linearity of t, the possibly multiple results of successful matchesare nondeterministically summed together; the denotations of [Σi∈Iui > !x ⇒ t] andΣi∈I [ui > !x ⇒ t] are identical.

The above clearly generalises to the case where u is an open term, but if t hasfree variables other than x, we need to make use of the strength map given by (13),see Proposition 3.5 below.

Γ, x : P ` t : Q Λ ` u : !PΓ,Λ ` [u > !x ⇒ t] : Q

Γ & Pt−→ Q Λ u−→ !P

Γ & Λ 1Γ&u−−−→ Γ & !P strΓ,P−−−→ !(Γ & P) t−→ Q(33)

Recursive type definitions. Folding and unfolding recursive types is accompanied byterm constructors abs and rep:

Γ ` t : Tj[µ~T .~T/~T ]

Γ ` abs t : µj~T .~T

Γ t−→ Tj [µ~T .~T/~T ]

Γ t−→ Tj [µ~T .~T/~T ] abs−−→ µj~T .~T

(34)

Γ ` t : µj~T .~T

Γ ` rep t : Tj[µ~T .~T/~T ]

Γ t−→ µj~T .~T

Γ t−→ µj~T .~T

rep−−→ Tj [µ~T .~T/~T ](35)

3.2 Useful Identities

We provide some technical results about the path semantics which are used in theproofs of full abstraction and soundness below. They are also useful for reasoningabout encodings of process calculi, see Sect. 3.6.

Lemma 3.1 (Substitution) Suppose Γ, x : P ` t : Q and Λ ` u : P with Γ and Λdisjoint. Then Γ,Λ ` t[u/x] : Q with denotation given by the composition

Γ & Λ 1Γ&u−−−→ Γ & Pt−→ Q . (36)

Corollary 3.2 Application amounts to substitution. In the situation of the substi-tution lemma, we have J(λx.t) uK = Jt[u/x]K.

Corollary 3.3 Recursion amounts to unfolding. Suppose Γ, x : P ` t : P. ThenΓ ` t[rec x.t/x] : P and Jrec x.tK = Jt[rec x.t/x]K.

Proof. By renaming variables y of Γ to y′ and y′′ we get Γ′, x : P ` t′ : P andΓ′′, x : P ` t′′ : P with Γ′ and Γ′′ disjoint. Then by the substitution lemma, Γ′,Γ′′ `t′[rec x.t′′/x] : P with denotation given by

Γ′ & Γ′′ 1Γ′&rec x.t′′−−−−−−−→ Γ′ & Pt′−→ P . (37)

By suitable use of exchange and contraction, substituting y for y′ and y′′, we getΓ ` t[rec x.t/x] : P with denotation

Γ ∆Γ−−→ Γ & Γ 1Γ&rec x.t−−−−−−→ Γ & Pt−→ P . (38)

This is the same as F (fix F ) where fix F is the denotation of rec x.t, and by propertyof the fixed-point, F (fix F ) = fix F as wanted. 2

11

Proposition 3.4 From the properties of the biproduct we get:

Jπβ(βt)K = JtK

Jπα(βt)K = ∅ if α 6= β

JΣα∈Aα(πα(t))K = JtK

(39)

In addition, Jβ(Σi∈Iti)K = JΣi∈I(βti)K and Jπβ(Σi∈Iti)K = JΣi∈I(πβti)K by linearityof injection and projection.

Proposition 3.5 The prefix match satisfies the properties:

J[!u > !x ⇒ t]K = Jt[u/x]KJ[Σi∈Iui > !x ⇒ t]K = JΣi∈I [ui > !x ⇒ t]K

(40)

Proof. By the properties of str and t, and using the substitution lemma, we have

[!u > !x ⇒ t] = t ◦ strΓ,P ◦(1Γ & (ηP ◦ u))= t ◦ strΓ,P ◦(1Γ & ηP) ◦ (1Γ & u)= t ◦ ηΓ&P ◦ (1Γ & u)= t ◦ (1Γ & u)= t[u/x] .

(41)

Note that we are e.g. abbreviating JtK to t. Linearity of t and mΓ,P and naturalityof n yields

[Σi∈Iui > !x ⇒ t] = t ◦ strΓ,P ◦(1Γ & Σi∈Iui)= t ◦ mΓ,P ◦ n!Γ,!P ◦ (ηΓ & 1!P) ◦ (1Γ & Σi∈Iui)= t ◦ mΓ,P ◦ n!Γ,!P ◦ (ηΓ & Σi∈Iui)= t ◦ mΓ,P ◦ (ηΓ × Σi∈Iui) ◦ nΓ,Λ

= Σi∈I(t ◦ mΓ,P ◦ (ηΓ × ui) ◦ nΓ,Λ)= Σi∈I(t ◦ mΓ,P ◦ n!Γ,!P ◦ (ηΓ & ui))= Σi∈I [ui > !x ⇒ t]

(42)

—as wanted. 2

3.3 Full Abstraction

We define a program to be a closed term t of type !O. A (Γ, P)-program context C isa term with holes into which a term t with Γ ` t : P may be put to form a program` C(t) : !O. The denotational semantics gives rise to a type-respecting contextualpreorder [38]:

Definition 3.6 Suppose Γ ` t1 : P and Γ ` t2 : P. We say that t1 and t2 are relatedby contextual preorder, written t1 <∼ t2, iff for all (Γ, P)-program contexts C, wehave JC(t1)K 6= ∅ =⇒ JC(t2)K 6= ∅. If both t1 <∼ t2 and t2 <∼ t1, we say that t1 andt2 are contextually equivalent.

Contextual equivalence coincides with path equivalence, as do the associated pre-orders:

12

Theorem 3.7 (Full abstraction) Suppose Γ ` t1 : P and Γ ` t2 : P. Then

Jt1K ⊆ Jt2K ⇐⇒ t1 <∼ t2 . (43)

Proof. Suppose Jt1K ⊆ Jt2K and let C be a (Γ, P)-program context with JC(t1)K 6= ∅.As Jt1K ⊆ Jt2K we have JC(t2)K 6= ∅ by compositionality and monotonicity, and sot1 <∼ t2 as wanted.

To prove the converse we define for each path p : P a closed term tp of type P anda (O, P)-program context Cp that respectively “realise” and “consume” the path p,by induction on the structure of p.2 We’ll also need realisers t′P and consumers C ′

P

of finite sets of paths:

tP 7→q ≡def λx.[C ′P (x) > !x′ ⇒ tq]

tβp ≡def βtp

tP ≡def !t′Ptabs p ≡def abs tp

CP 7→q ≡def Cq(− t′P )Cβp ≡def Cp(πβ−)CP ≡def [− > !x ⇒ C ′

P (x)]Cabs p ≡def Cp(rep −)

t′{p1,...,pn} ≡def tp1 + · · · + tpn

C ′{p1,...,pn} ≡def [Cp1 > !x1 ⇒ · · · ⇒ [Cpn > !xn ⇒ !∅] · · · ]

(44)

Note that t′∅ ≡ ∅ and C ′∅ ≡ !∅. Although the syntax of t′P and C ′

P depends ona choice of permutation of the elements of P , the semantics obtained for differentpermutations is the same. Indeed, we have (z being a fresh variable):

JtpK = yPp

Jt′P K = iPP

Jλz.Cp(z)K = yP→!O({p} 7→ ∅)Jλz.C ′

P (z)K = yP→!O(P 7→ ∅)(45)

It then follows from the substitution lemma that for any p : P and ` t : P,

p ∈ JtK ⇐⇒ JCp(t)K 6= ∅ . (46)

Suppose t1 <∼ t2 with t1 and t2 closed. Given any p ∈ Jt1K we have JCp(t1)K 6= ∅ andso using t1 <∼ t2, we get JCp(t2)K 6= ∅, so that p ∈ Jt2K. It follows that Jt1K ⊆ Jt2K.

As for open terms, suppose Γ ≡ x1 : P1, . . . , xk : Pk. Writing λ~x.t1 for the closedterm λx1. · · ·λxk.t1 and likewise for t2, we get

t1 <∼ t2 =⇒ λ~x.t1 <∼ λ~x.t2=⇒ Jλ~x.t1K ⊆ Jλ~x.t2K=⇒ Jt1K ⊆ Jt2K .

(47)

The proof is complete. 2

3.4 Operational Semantics

HOPLA can be given a straightforward operational semantics [42] using actionsdefined by the grammar

a ::= u 7→ a | βa | ! | abs a . (48)2We have recently become aware that this technique has been applied by Guy McCusker to prove

full abstraction for a version of Idealized Algol [32].

13

P : t[rec x.t/x] a−→ t′

P : rec x.ta−→ t′

P : tja−→ t′

P : Σi∈Itia−→ t′

j ∈ I

Q : t[u/x] a−→ t′

P → Q : λx.tu7→a−−−→ t′

P → Q : tu7→a−−−→ t′

Q : t ua−→ t′

Pβ : ta−→ t′

Σα∈APα : βtβa−−→ t′

Σα∈APα : tβa−−→ t′

Pβ : πβta−→ t′

!P : !t !−→ t

!P : u!−→ u′ Q : t[u′/x] a−→ t′

Q : [u > !x ⇒ t] a−→ t′

Tj [µ~T .~T/~T ] : ta−→ t′

µj~T .~T : abs t

abs a−−−→ t′µj

~T .~T : tabs a−−−→ t′

Tj [µ~T .~T/~T ] : rep ta−→ t′

Figure 1: Operational rules

We assign types to actions a using a judgement of the form P : a : P′. Intuitively, afterperforming the action a, what remains of a computation path in P is a computationpath in P′:

` u : P Q : a : P′

P → Q : u 7→ a : P′Pβ : a : P′ β ∈ A

Σα∈APα : βa : P′ !P : ! : P

Tj[µ~T .~T/~T ] : a : P′

µj~T .~T : abs a : P′

(49)Notice that in P : a : P′, the type P′ is unique given P and a. The operational rulesof Fig. 1 define a relation P : t

a−→ t′ where ` t : P and P : a : P′. By rule inductionon the transition rules, we have

Proposition 3.8 If P : ta−→ t′ with P : a : P′, then ` t′ : P′.

Accordingly, we’ll write P : ta−→ t′ : P′ when P : t

a−→ t′ and P : a : P′.

3.4.1 Soundness and Adequacy

For P : a : P′ we define a linear map a∗ : P → !P′ which intuitively maps a process tof type P to a representation of its possible successors after performing the action a.In order to distinguish between, say, the successor ∅ and no successors, a∗ embedsinto the type !P′ rather than using P′ itself. For instance, the successors after action! of the processes !∅ and ∅ are, respectively,

!∗J!∅K = 1!P(ηP∅) = ηP∅ and !∗J∅K = 1!P∅ = ∅ . (50)

It will be convenient to treat a∗ as a syntactic operation and so we define a terma∗t such that Ja∗tK = a∗JtK:

(u 7→ a)∗ = a∗ ◦ app ◦ (− & JuK)(βa)∗ = a∗ ◦ πβ

!∗ = 1!P

(abs a)∗ = a∗ ◦ rep

(u 7→ a)∗t ≡ a∗(t u)(βa)∗t ≡ a∗(πβt)

!∗t ≡ t

(abs a)∗t ≡ a∗(rep t)

(51)

14

The syntactic operation a∗ can be viewed as providing a context which reducesa-transitions to !-transitions. Indeed, by a simple induction on a, we can prove

Lemma 3.9 P : ta−→ t′ : P′ ⇐⇒ !P′ : a∗t !−→ t′ : P′.

Writing P : ta−→ when there exists t′ such that P : t

a−→ t′ : P′, the following areequivalent:

(i) P : ta−→ (ii) !P′ : a∗t !−→ (iii) !O : C∅(a∗t) !−→ . (52)

Here, C∅ is the (O, !P′)-program context [− > !x ⇒ !∅] from the proof of fullabstraction.

Thus, observations of general transitions and !-transitions are reducible to ob-servations of !-transitions at type !O. We’ll exploit this below to give an operationalformulation of full abstraction.

Proposition 3.10 (Soundness) If P : ta−→ t′ : P′, then J!t′K ⊆ a∗JtK.

Proof. By rule-induction on the transition rules, see App. A. 2

We obtain an adequacy result using logical relations X EP t between subsets X ⊆ Pand closed terms of type P. Intuitively, X EP t means that all paths in X canbe “operationally realised” by t. Because of recursive types, these relations cannotbe defined by structural induction on the type P and we therefore employ a trickessentially due to Martin-Lof (see [53]). We define auxiliary relations p εP t betweenpaths p : P and closed terms t of type P, by induction on the structure of p:

X EP t ⇐⇒def ∀p ∈ X. p εP t (53)P 7→ q εP→Q t ⇐⇒def ∀u. (P EP u =⇒ q εQ t u) (54)βp εΣα∈APα t ⇐⇒def p εPβ

πβt (55)

P ε!P t ⇐⇒def ∃t′. !P : t!−→ t′ : P and P EP t′ (56)

abs p εµj

~T .~Tt ⇐⇒def p ε

Tj [µ~T .~T/~T ]rep t (57)

Lemma 3.11 (Main Lemma) Suppose ` t : P. Then JtK EP t.

Proof. By structural induction on terms, see App. B. 2

Proposition 3.12 (Adequacy) For ` t : !P we have JtK 6= ∅ ⇐⇒ !P : t!−→ .

Proof. The “⇐” direction follows from soundness. Assume JtK 6= ∅. Then becauseJtK is a downwards-closed subset of !P which has least element ∅, we must have∅ ∈ JtK. Thus ∅ ε!P t by Lemma 3.11, which implies the existence of a term t′ suchthat !P : t

!−→ t′ : P as wanted. 2

By (52), adequacy is equivalent to a∗JtK 6= ∅ ⇐⇒ P : ta−→ for general terms ` t : P.

15

3.4.2 Full Abstraction w.r.t. Operational Semantics

Adequacy allows an operational formulation of contextual equivalence. For programs` t : !O we have !O : t

!−→ iff JtK 6= ∅ by adequacy. Hence, two terms t1 and t2 withΓ ` t1 : P and Γ ` t2 : P are related by contextual preorder iff for all (Γ, P)-programcontexts C, we have !O : C(t1)

!−→ =⇒ !O : C(t2)!−→.

Full abstraction is often formulated in terms of this operational preorder. Witht1 and t2 as above, the inclusion Jt1K ⊆ Jt2K holds iff for all (Γ, P)-program contextsC, we have !O : C(t1)

!−→ =⇒ !O : C(t2)!−→.

3.5 Simulation

The operational semantics supports a standard bisimulation [44, 35]:

Definition 3.13 A type-respecting relation R on closed terms is a bisimulation ifthe following holds. If t1 R t2 with t1, t2 of the same type P, then

1. if P : t1a−→ t′1 : P′, then P : t2

a−→ t′2 : P′ for some t′2 such that t′1 R t′2;

2. if P : t2a−→ t′2 : P′, then P : t1

a−→ t′1 : P′ for some t′1 such that t′1 R t′2.

Bisimilarity, written ∼, is the largest bisimulation.

Bisimilarity is a congruence for HOPLA and coincides with notions of applicativebisimilarity [1] and higher order bisimilarity [51]—see [41].

The path semantics does not capture enough of the branching behaviour of pro-cesses to characterise bisimilarity (for that, the presheaf semantics is needed, seeSect. 6.1). As an example, the processes !∅ + !!∅ and !!∅ have the same denotation,but are clearly not bisimilar. However, using Hennessy-Milner logic we can link pathequivalence to simulation, obtained as in Definition 3.13, but leaving out condition2. In detail, we consider the fragment of Hennessy-Milner logic given by possibilityand finite conjunctions; it is characteristic for simulation equivalence in the case ofimage-finite processes [21]. With a ranging over actions, formulae are given by

φ ::= 〈a〉φ | ∧i≤n φi . (58)

The empty conjunction is written > and we sometimes write φ1 ∧ · · · ∧ φn for theconjunction

∧i≤n φi. We type formulae using judgements φ : P, the idea being that

only processes of type P should be described by formulae of type P.

P : a : P′ φ : P′

〈a〉φ : P

φi : P all i ≤ n∧i≤n φi : P

(59)

A typed notion of satisfaction, written t � φ : P, is defined by

t � 〈a〉φ : P ⇐⇒def ∃t′. P : ta−→ t′ : P′ and t′ � φ : P′

t �∧

i≤n φi : P ⇐⇒def t � φi : P for each i ≤ n .(60)

Note that > : P and t � > : P for all terms ` t : P.

16

Definition 3.14 Suppose ` t1 : P and ` t2 : P. We say that t1 and t2 are relatedby the logical preorder, written t1 <∼L t2, iff for all formulae φ : P we have t1 � φ :P =⇒ t2 � φ : P. If both t1 <∼L t2 and t2 <∼L t1, we say that t1 and t2 are logicallyequivalent.

As a corollary of full abstraction and adequacy, we can show that logical equivalencecoincides with contextual equivalence:

Corollary 3.15 For closed terms t1 and t2 of the same type P,

t1 <∼ t2 ⇐⇒ t1 <∼L t2 . (61)

Proof. To each formula φ : P we can construct a (O, P)-program context Cφ withthe property that

!O : Cφ(t) !−→ ⇐⇒ t � φ : P . (62)

Define

C〈u 7→a〉φ ≡def C〈a〉φ(− u) ,

C〈βa〉φ ≡def C〈a〉φ(πβ−) ,

C〈!〉φ ≡def [− > !x ⇒ Cφ(x)] ,

C〈abs a〉φ ≡def C〈a〉φ(rep −) ,

C∧i≤n φi

≡def [Cφ1 > !x1 ⇒ · · · ⇒ [Cφn > !xn ⇒ !∅] · · · ] .

(63)

It follows by (62) that t1 <∼L t2 iff for all formulae φ : P we have that !O : Cφ(t1)!−→

implies !O : Cφ(t2)!−→. The direction “⇒” then follows by adequacy. For the converse,

we observe that the program contexts Cp used in the full-abstraction proof are allsubsumed by the contexts Cφ. In detail, using the terms t′P realising finite sets ofpaths, we can define actions P : ap : P′ and formulae φp : P by induction on pathsp : P as follows:

aP 7→q ≡def t′P 7→ aq

aβp ≡def βap

aP ≡def !aabs p ≡def abs ap

φP 7→q ≡def 〈aP 7→q〉φq

φβp ≡def 〈aβp〉φp

φP ≡def 〈aP 〉∧

p∈P φp

φabs p ≡def 〈aabs p〉φp

(64)

We then have Cφp ≡ Cp by induction on the path p. Thus, t1 <∼L t2 implies Jt1K ⊆Jt2K, and so t1 <∼ t2 by full abstraction. 2

3.6 Expressive Power

HOPLA does not have many features typical of process calculi built-in, beyond thatof a nondeterministic sum and a prefix operation. It is therefore notable that we canexpress many kinds of concurrent processes in the language. We start by encodingthe “prefix-sum” construct of [41], useful for subsequent examples. We’ll dispensewith the abstract syntax abs and rep for brevity.

17

3.6.1 Prefixed Sum

In the original presentation of HOPLA, prefixing and the sum type where partof a single construct, the prefixed sum [41]. Consider a family of types (Pα)α∈A.Their prefixed sum is the type Σα∈Aα.Pα which stands for Σα∈A!Pα. This typedescribes computation paths in which first an action β ∈ A is performed beforeresuming as a computation path in Pβ. We’ll write α1.Pα1 + · · · + αk.Pαk

for atypical finite prefixed sum. The prefixed sum is associated with prefix operationstaking a process t of type Pβ to β.t ≡def β(!t) of type Σα∈Aα.Pα as well as a prefixmatch [u > β.x ⇒ t] ≡def [πβu > !x ⇒ t], where u has prefix-sum type, x has typePβ and t generally involves the variable x.

Proposition 3.16 Using Propositions 3.4 and 3.5, we get:

J[β.u > β.x ⇒ t]K = Jt[u/x]K (65)J[α.u > β.x ⇒ t]K = ∅ if α 6= β (66)

J[Σi∈Iui > β.x ⇒ t]K = JΣi∈I [ui > β.x ⇒ t]K (67)

Note that the prefixed sum is obtained using the biproduct, so coproduct, ofLin. This implies that prefixed sum is a “weak coproduct” in Cts. Because of theuniversal property of the coproduct in Lin and using the adjunction between Linand Cts, there is a chain of isomorphisms

Lin(Σα∈A!Pα, Q) ∼= Πα∈ALin(!Pα, Q) ∼= Πα∈ACts(Pα, Q) (68)

—natural in Q. Hence, linear maps f : Σα∈A!Pα → Q from the prefixed sum in Ctsare in bijective correspondence with tuples 〈fα〉α∈A of maps from the componentsof the sum to Q in Cts. Thus, the prefixed sum is a coproduct in Cts but for thefact that the required mediating morphism is unique only within the subcategory oflinear maps.

3.6.2 CCS

As in CCS [35], let N be a set of names and N the set of complemented names{n | n ∈ N}. Let l range over labels L =def N ∪ N , with complementation extendedto L by taking ¯n =def n, and let τ be a distinct label. The type of CCS processescan then be specified as the solution to the equation

P = τ.P + Σn∈Nn.P + Σn∈N n.P . (69)

Below, we let α range over L ∪ {τ}. The terms of CCS are translated into HOPLAby the function HJ−K,

HJxK ≡def x

HJrec x.tK ≡def rec x.HJtK

HJΣi∈ItiK ≡def Σi∈IHJtiK

HJα.tK ≡def α.HJtK

HJt|uK ≡def Par HJtK HJuK

HJt \ SK ≡def ResS HJtK

HJt[f ]K ≡def Relf HJtK

(70)

18

Here, Par : P → (P → P) (curried for convenience), ResS : P → P, and Relf : P → Pare abbreviations for the following recursively defined processes:

Par ≡def rec p.λx.λy.Σα[x > α.x′ ⇒ α.(p x′ y)] +Σα[y > α.y′ ⇒ α.(p x y′)] +Σl[x > l.x′ ⇒ [y > l.y′ ⇒ τ.(p x′ y′)]]

(71)

ResS ≡def rec r.λx.Σα6∈(S∪S)[x > α.x′ ⇒ α.(r x′)] (72)

Relf ≡def rec r.λx.Σα[x > α.x′ ⇒ f(α).(r x′)] (73)

The operational semantics for CCS induced by the translation agrees with that givenby Milner:

Proposition 3.17 If tα−→ t′ is derivable in CCS, then P : HJtK

α!−→ HJt′K : P.Conversely, if P : HJtK

a−→ u : P, then a ≡ α! and u ≡ HJt′K for some α, t′ such thatt

α−→ t′ according to CCS.

It follows that the translations of two CCS terms are bisimilar in HOPLA iff theyare strongly bisimilar in CCS.

We can recover Milner’s expansion law [34] directly from the properties of theprefixed sum. Write t|u for the application Par t u, where t and u are terms of typeP. Suppose

JtK = JΣαΣi∈I(α)α.tiK and JuK = JΣαΣj∈J(α)α.ujK . (74)

Using Corollaries 3.3 and 3.2, then Proposition 3.16, Jt|uK equals the denotation ofthe expansion

ΣαΣi∈I(α)α.(ti|u) + ΣαΣj∈J(α)α.(t|uj) + ΣlΣi∈I(l),j∈J(l)τ.(ti|uj) . (75)

3.6.3 Higher-Order CCS

The language considered by Hennessy [22] is like CCS but where processes are passedat channels C; the language can be seen as an extension of Thomsen’s CHOCS [51].For a translation into HOPLA, we follow Hennessy in defining types that satisfy theequations3

P = τ.P + Σc∈C c.C + Σc∈Cc.F C = P & P F = P → P . (76)

We are chiefly interested in the parallel composition of processes, ParP,P of typeP & P → P. But parallel composition is really a family of mutually dependent op-erations also including components such as ParF,C of type F & C → P to say howabstractions compose in parallel with concretions etc. All these components canbe tupled together in a product and parallel composition defined as a simultane-ous recursive definition. Writing (−|−) for all the components of the solution, thedenotation of a parallel composition t|u of processes equals the denotation of theexpansion

Σα[t > α.x ⇒ α.(x|u)] +Σα[u > α.y ⇒ α.(t|y)] +Σc[t > c.f ⇒ [u > c.p ⇒ τ.((f π1p)|π2p)]] +Σc[t > c.p ⇒ [u > c.f ⇒ τ.(π2p|(f π1p))]] .

(77)

3See Page 10 for how to encode the binary product P & P.

19

In the summations, c ∈ C and α ranges over labels c, c, τ .The bisimulation induced on higher-order CCS terms is perhaps the one to be

expected; a corresponding bisimulation relation is defined like an applicative bisi-mulation but restricted to the types of processes P, concretions C, and abstractionsF.

In a similar way, we can encode Cardelli and Gordon’s Ambient Calculus withpublic names [10, 11], see [41]. HOPLA can thus express certain forms of mobility ofprocesses by virtue of allowing process passing. Another kind of mobility, mobilityof communication links, arises from name-generation as in the π-calculus [36]. In-spired by HOPLA, Francesco Zappa Nardelli and GW have defined a higher-orderprocess language with name-generation, allowing encodings of full ambient calcu-lus and π-calculus. Bisimulation properties and semantic underpinnings are beingdeveloped [55].

4 Linearity

The move from Lin to Cts has allowed us to interpret prefixing. In fact, we can domuch the same more cheaply.

The category Cts is obtained from Lin using an exponential which allows ar-bitrary copying in linear logic. An element P ∈ !P consists of several, possibly no,computation paths of P. An element of the path order !P can therefore be un-derstood intuitively as describing a compound computation path associated withrunning several copies of a process of type P. Maps P → Q of Cts, corresponding tomaps !P → Q of Lin, allow their input to be copied, as witnessed by the fact thatthe type system of HOPLA allows contraction.

However, copying is generally restricted in a distributed computation. A commu-nication received is most often the result of a single run of the process communicatedwith. Of course, process code can be sent and copied. But generally the receiver hasno possibility of rewinding or copying the state of an ongoing computation. On theother hand, ignoring another process is often easy. For this reason, many operationsof distributed computation have the following property [40]:

Affine linearity: a computation path of the process arising from the ap-plication of an operation to an input process has resulted from at mostone computation path of the input process.

Note in particular that prefix operations are affine in this sense: if we wish to observejust the initial action of a process !t, no computation path of t is needed, thoughobserving any longer path will involve a (single) computation path of t.

Recall the diagram (2) which says that linear maps P → Q are determined bytheir values on single paths, elements of P. Via the adjunction between Lin and Cts,continuous maps P → Q are determined by their values on compound paths in !P(diagram (7)). To summarise:

20

• linear operations use a single path of the input;

• affine operations use at most one path of the input;

• continuous operations use any number of paths of the input.

Affine maps are defined by their values on singleton copies of paths togetherwith the empty path. Accordingly, affine maps derive from the lifting operation(−)⊥ adding a new element ⊥, to be thought of as the empty computation path,below a copy of a path order P to produce a path order P⊥. Abstractly, P⊥ is theempty-join completion of P; concretely, we can take P⊥ to contain the empty set,written ⊥, together with singletons {p} for p ∈ P, ordered by �P. There is an obviousinclusion of the empty-join completion of P into P, in the form of a map jP : P⊥ → Psending ⊥ to ∅ and {p} to yPp. We’ll use P to range over P⊥ in what follows. Themap jP assumes the role of iP; for any X ∈ P and P ∈ P⊥ we have jPP ⊆ X iffP �P X, and from (1) we get

X =⋃

p∈X yPp = ∅ ∪ ⋃p∈X yPp =

⋃P�PX jPP . (78)

This join is manifestly nonempty and in fact, P is the free closure of P⊥ undernonempty joins. This means that given any monotone map f : P⊥ → C for somenonempty-join complete poset C, there is a unique nonempty-join preserving (i.e.affine) map f § : P → C such that the diagram below commutes:

P⊥jP //

f %%JJJJJJJ Pf§

��C

f §X =⋃

P�PX fP . (79)

Uniqueness of f §, called the extension of f along jP, follows from (78). As before,we can replace C by a nondeterministic domain Q and by the freeness properties(2) and (79), there is a bijective correspondence between linear maps P⊥ → Q andaffine maps P → Q.

We define the category Aff to have path orders P, Q, . . . as objects and affinemaps P → Q as arrows. Again, the structure of Aff is induced by that of Lin via anadjunction between the two categories with the inclusion Lin ↪→ Aff (linear mapsare affine) as right adjoint:

Lin(P⊥, Q) ∼= Aff(P, Q) . (80)

The unit ηP : P → P⊥ in Aff , the counit εP : P⊥ → P in Lin, and the left adjoint(−)⊥ : Aff → Lin are obtained precisely as in Sect. 2.2.

Aff inherits products Σα∈APα with weak coproduct properties from Lin in thesame way as Cts does. However, unlike Cts, the category Aff is not cartesian closedbecause P⊥×Q⊥ and (P&Q)⊥ are not isomorphic in Lin. On the other hand we caneasily define a tensor operation ⊗ on Aff such that the path orders P⊥ × Q⊥ and(P ⊗Q)⊥ become isomorphic: simply take P⊗ Q to be (P⊥ ×Q⊥) \ {(⊥,⊥)}. Pathsof P ⊗ Q then consist of a (possibly empty) path of P and a (possibly empty) pathof Q, and so a path set X ∈ P ⊗ Q can be thought of as a process performing two

21

parallel computation paths, one of type P and one of type Q. On arrows f : P → P′

and g : Q → Q′ in Aff , we define f ⊗ g : P⊗Q → P′ ⊗Q′ as the extension h§ of themap h : P⊥ × Q⊥ ∼= (P ⊗ Q)⊥ → P′ ⊗ Q′ defined by

(P ′, Q′) ∈ h(P,Q) ⇐⇒ P ′ ∈ (ηP′ ◦ f ◦ jP)P and Q′ ∈ (ηQ′ ◦ g ◦ jQ)Q . (81)

The unit of tensor is the empty path order O. Elements X ∈ P correspond to mapsX : O → P in Aff and with Y ∈ Q, we’ll write X ⊗ Y for the element of P ⊗ Qpointed to by the map X⊗Y . The tensor makes Aff a symmetric monoidal category,and again, the adjunction (80) is symmetric monoidal. The obvious isomorphismsof path orders,

1 ∼= O⊥ and P⊥ × Q⊥ ∼= (P ⊗ Q)⊥ , (82)

induce natural isomorphisms in Lin and we obtain a monoidal strength P ⊗ Q⊥ →(P ⊗ Q)⊥ precisely as for Cts.

Finally, the monoidal closed structure of Lin together with the natural isomor-phism P⊥×Q⊥ ∼= (P⊗Q)⊥ provide a right adjoint (Q ( −), defined by (Q⊥ ( −),to the functor (− ⊗ Q) in Aff via the chain

Aff(P ⊗ Q, R) ∼= Lin((P ⊗ Q)⊥, R) ∼= Lin(P⊥ × Q⊥, R)∼= Lin(P⊥, Q⊥ ( R) ∼= Aff(P, Q⊥ ( R) = Aff(P, Q ( R) (83)

—natural in P and R. This demonstrates that Aff is symmetric monoidal closedand since the unit of the tensor is terminal, a model of affine linear logic, as alreadyobserved in [25].

5 Affine HOPLA

Affine HOPLA is a typed process language suggested by the structure of Aff [40].Even though we replace the type constructor !(−) by (−)⊥, we’ll continue to use !for the action in prefixing.

5.1 Denotational Semantics

Types are given by the grammar

T ::= T1 ( T2 | T1 ⊗ T2 | Σα∈ATα | T⊥ | T | µj~T .~T . (84)

Again, closed type expressions are interpreted as path orders. For the solution ofrecursive type definitions we proceed as for HOPLA, replacing finite sets of pathsby sets P of size at most one, writing ⊥ for the empty set.

p, q ::= P 7→ q | P ⊗ Q | βp | P | abs p (85)

Here, P ⊗ Q stands for a pair of paths P of P⊥ and Q of Q⊥ where at least oneis non-⊥. Formation rules are displayed below alongside rules defining the ordering.

22

Note that all path orders interpreting types of Affine HOPLA are posets because,unlike the exponential, the comonad (−)⊥ maps posets to posets.

P : P⊥ q : Q

P 7→ q : P ( Q

P ′ ≤P⊥ P q ≤Q q′

P 7→ q ≤P(Q P ′ 7→ q′

P : P⊥ Q : Q⊥ (P,Q) 6= (⊥,⊥)P ⊗ Q : P ⊗ Q

P ≤P⊥ P ′ Q ≤Q⊥ Q′

P ⊗ Q ≤P⊗Q P ′ ⊗ Q′

p : Pβ β ∈ A

βp : Σα∈APα

p ≤Pβp′ β ∈ A

βp ≤Σα∈APα βp′

⊥ : P⊥p : P

{p} : P⊥P �P P ′

P ≤P⊥ P ′

p : Tj[µ~T .~T/~T ]

abs p : µj~T .~T

p ≤Tj [µ~T .~T/~T ] p′

abs p ≤µj~T .~T abs p′

(86)

The raw syntax of terms is given by

t, u ::= x | rec x.t | Σi∈Iti | λx.t | t u | t ⊗ u | [u > x ⊗ y ⇒ t] |αt | παt | !t | [u > !x ⇒ t] | abs t | rep t .

(87)

The use of a pattern match term for tensor is similar to that in [2]. Let P1, . . . , Pk, Qbe closed type expressions and x1, . . . , xk distinct variables. A syntactic judgementx1 : P1, . . . , xk : Pk ` t : Q stands for a map

Jx1 : P1, . . . , xk : Pk ` t : QK : P1 ⊗ · · · ⊗ Pk → Q (88)

in Aff . When the environment list is empty, the corresponding tensor product is theempty path order O. The term-formation rules for Affine HOPLA are very similarto those for HOPLA, replacing & by ⊗ in the handling of environment lists and thetype constructors !(−) and → by (−)⊥ and (. We discuss the remaining differencesin the following.

New rules are introduced for the tensor operation:

Γ ` t : P Λ ` u : Q

Γ,Λ ` t ⊗ u : P ⊗ Q

Γ t−→ P Λ u−→ Q

Γ ⊗ Λ t⊗u−−→ P ⊗ Q(89)

Γ, x : P, y : Q ` t : R Λ ` u : P ⊗ Q

Γ,Λ ` [u > x ⊗ y ⇒ t] : R

Γ ⊗ P ⊗ Qt−→ R Λ u−→ P ⊗ Q

Γ ⊗ Λ 1Γ⊗u−−−→ Γ ⊗ P ⊗ Qt−→ R

(90)

One important difference is the lack of contraction for the affine language. Thisrestricts substitution of a common term into distinct variables, and so copying. Thecounterpart in the model is the absence of a suitable diagonal map from objects P

to P⊗P; for example, the map X 7→ X ⊗X from P to P ⊗ P is not in general a mapin Aff .4 Consider a term t(x, y), with its free variables x and y shown explicitly, forwhich

x : P, y : P ` t(x, y) : Q , (91)4To see this, assume that P is the prefixed sum α.O + β.O with paths abbreviated to α, β.

Confusing paths with the corresponding primes, the nonempty join α+β is sent by X 7→ X ⊗X toα ⊗ α + β ⊗ β + α ⊗ β + β ⊗ α instead of α ⊗ α + β ⊗ β as would be needed to preserve nonemptyjoins.

23

corresponding to a map P ⊗ Pt−→ Q in Aff . This does not generally entail that

x : P ` t(x, x) : Q—there may not be a corresponding map in Aff , for exampleif t(x, y) = x ⊗ y. Intuitively, if any computation for t involves both inputs, thenx : P ` t(x, x) : Q would use the same input twice and therefore cannot be interpretedin Aff . There is a syntactic condition on the occurrences of variables which ensuresthat in any computation, at most one of a set of variables is used.

Definition 5.1 Let v be a raw term. Say a set of variables V is crossed in v iffthere are subterms of v of the form tensor t ⊗ u, application t u, tensor match[u > x ⊗ y ⇒ t], or prefix match [u > !x ⇒ t], for which v has free occurrences ofvariables from V appearing in both t and u.

If the set {x, y} is not crossed in t(x, y) above, then t uses at most one of its inputsx, y in each computation; semantically, t is interpreted as a map P ⊗ P → Q of Affwhich behaves identically on input X ⊗ Y and X ⊗ ∅ + ∅ ⊗ Y for all X,Y ∈ P. Inthis case x : P ` t(x, x) : Q holds and is interpreted as the composition

PδP−→ P ⊗ P

t−→ Q (92)

—where δP : P → P⊗ P maps X to X ⊗∅ + ∅ ⊗X. We’ll write δkP : P → Pk for the

obvious generalisation to a k-fold tensor product Pk = P ⊗ · · · ⊗ P.We can now give the rule for recursively defined processes in Affine HOPLA:

Γ, x : P ` t : P {x, y} not crossed in t for any y in ΓΓ ` rec x.t : P

Γ ⊗ Pt−→ P

Γ fix F−−−→ P(93)

Here, fix F is the fixpoint in Aff(Γ, P) ∼= Γ ( P of the continuous operation Fmapping g : Γ → P in Aff to the composition

Γ δΓ−→ Γ ⊗ Γ 1Γ⊗g−−−→ Γ ⊗ Pt−→ P . (94)

5.2 Useful Identities

Counterparts of the results for HOPLA of Sect. 3.2 can now be proved for AffineHOPLA. In particular, a general substitution lemma can be formulated as follows:

Lemma 5.2 (Substitution) Suppose Γ, x1 : P, . . . , xk : P ` t : Q with {x1, . . . , xk}not crossed in t. If Λ ` u : P with Γ and Λ disjoint, then Γ,Λ ` t[u/x1, . . . , u/xk] : Qwith denotation given by the composition

Γ ⊗ Λ 1Γ⊗(δkP◦u)−−−−−−→ Γ ⊗ Pk t−→ Q . (95)

An easy induction on typing derivations shows that if Γ, x : P ` t : Q, then {x} isnot crossed in t, and so the substitution lemma specialises to

Corollary 5.3 If Γ, x : P ` t : Q and Λ ` u : P with Γ and Λ disjoint, then we haveΓ,Λ ` t[u/x] : Q with J(λx.t) uK = Jt[u/x]K.

24

Corollary 5.4 Suppose Γ, x : P ` t : P. Then Γ ` t[rec x.t/x] : P with Jrec x.tK =Jt[rec x.t/x]K.

Proof. We proceed as in the proof of Corollary 3.3, obtaining Γ′, x : P ` t′ : P andΓ′′, x : P ` t′′ : P with Γ′ and Γ′′ disjoint by renaming variables y of Γ to y′ and y′′.By the substitution lemma with k = 1, we get Γ′,Γ′′ ` t′[rec x.t′′/x] : P denoting

Γ′ ⊗ Γ′′ 1Γ′⊗rec x.t′′−−−−−−−→ Γ′ ⊗ Pt′−→ P . (96)

Now, since the sets {x, y} are not crossed in t, the sets {y′, y′′} are not crossed int′[rec x.t′′/x]. Hence, by repeated use of exchange and the substitution lemma withk = 2, we may perform substitutions [y/y′, y/y′′] to obtain Γ ` t[rec x.t/x] : P withdenotation

Γ δΓ−→ Γ ⊗ Γ 1Γ⊗rec x.t−−−−−−→ Γ ⊗ Pt−→ P . (97)

Again, this is the same as F (fix F ) = fix F , the denotation of rec x.t. 2

The properties of sums and prefixing are the same as for HOPLA.

Proposition 5.5 The tensor match satisfies

J[u1 ⊗ u2 > x ⊗ y ⇒ t]K = Jt[u1/x, u2/y]K (98)J[u > x ⊗ y ⇒ Σi∈Iti]K = JΣi∈I [u > x ⊗ y ⇒ ti]K (99)J[Σi∈Iui > x ⊗ y ⇒ t]K = JΣi∈I [ui > x ⊗ y ⇒ t]K if I 6= ∅ (100)

Further, if x1 and y1 are not free in t, then

J[[u1 > x1 ⊗ y1 ⇒ u2] > x2 ⊗ y2 ⇒ t]K= J[u1 > x1 ⊗ y1 ⇒ [u2 > x2 ⊗ y2 ⇒ t]]K . (101)

Proof. All the properties are consequences of tensor match being interpreted ascomposition in Aff . Equation (98) follows by exchange and two applications of thesubstitution lemma. The two distributive properties hold since composition f ◦ gin Aff is linear in f and affine in g. Finally, (101) follows from associativity ofcomposition. 2

5.3 Full Abstraction

As for HOPLA, we take a program to be a closed term t of type O⊥, but because oflinearity constraints, program contexts will now have at most one hole. Otherwise,the notion of contextual preorder is the same as in Sect. 3.3. Again, contextualequivalence coincides with path equivalence:

Theorem 5.6 (Full abstraction) For any terms Γ ` t1 : P and Γ ` t2 : P,

Jt1K ⊆ Jt2K ⇐⇒ t1 <∼ t2 . (102)

25

Proof. Path “realisers” and “consumers” are defined as in the proof of full abstrac-tion for HOPLA, restricting the terms t′P and C ′

P to the cases where P has at mostone element. Terms corresponding to paths of tensor type are defined by

tP⊗Q ≡ t′P ⊗ t′QCP⊗Q ≡ [− > x ⊗ y ⇒ [C ′

P (x) > !x′ ⇒ C ′Q(y)]]

(103)

For any p : P and P : P we then have (z being a fresh variable):

JtpK = yPp

Jt′P K = jPP

Jλz.Cp(z)K = yP(O⊥({p} 7→ ∅)Jλz.C ′

P (z)K = yP(O⊥(P 7→ ∅)(104)

We can now proceed as in the proof of Theorem 3.7. 2

5.4 Expressive Power

Subject to the linearity constraints on occurrences of variables, Affine HOPLA hasmuch of the expressive power of HOPLA. In particular, the calculi discussed inSects. 3.6.2 and 3.6.3 can be encoded with the restriction that no variable can occurfreely on both sides of a parallel composition. The prefixed sum Σα∈Aα.Pα standsfor Σα∈A(Pα)⊥ in Affine HOPLA. Prefixing β.t is still translated into β!t, but nowhas a different semantics. For example, by replacing !(−) with (−)⊥, the solutionof the equation (69) defining the type of CCS processes becomes isomorphic to thepartial order of strings over the alphabet of CCS actions. Thus, the semantics of CCSgiven by the translation into Affine HOPLA is a traditional trace semantics. This isillustrated by the fact that the two CCS processes α.β.∅+α.γ.∅ and α.(β.∅+γ.∅)are given the same semantics by the Affine HOPLA translation, but can be toldapart by the HOPLA context C〈α〉(〈β〉>∧〈γ〉>), see Sect. 3.5.

More interestingly, the tensor type of Affine HOPLA allows us to define processesof the kind encountered in treatments of nondeterministic dataflow [27], somethingwhich is not possible using HOPLA. To illustrate, define P recursively as the prefixedsum

P = α.P + β.P , (105)

so that P essentially consists of streams (or sequences) of α’s and β’s. We can thendefine dataflow processes whose properties can be determined from the above resultsabout the denotational semantics—in particular using Proposition 5.5:

• A process A of type P ⊗ P which produces two identical, parallel streams ofα’s and β’s as output:

A ≡ rec p.[p > x ⊗ y ⇒ (α.x ⊗ α.y) + (β.x ⊗ β.y)] . (106)

The denotation of A is the set of pairs (s, s′) with s and s′ strings of α’sand β’s, such that s is a prefix of s′ or vice versa. Notice the “entanglement”between the two sides of the tensor—choices made on one side affect choice onthe other.

26

• A process B of type P ( (P ⊗ P) which is like A, except it produces its twooutput streams as copies of the input stream:

B ≡ rec f.λz.[z > α.z′ ⇒ [f z′ > x ⊗ y ⇒ α.x ⊗ α.y]] +[z > β.z′ ⇒ [f z′ > x ⊗ y ⇒ β.x ⊗ β.y]] .

(107)

We have e.g. JB (α.β.∅)K = Jα.β.∅ ⊗ α.β.∅K and JB (α.∅ + β.∅)K = Jα.∅ ⊗α.∅ + β.∅ ⊗ β.∅K, the latter not containing “cross terms” like α.∅ ⊗ β.∅.

• A process C of type (P ⊗ P) ( P which merges two streams into one:

C ≡ rec f.λz.[z > x ⊗ y ⇒ [x > α.x′ ⇒ α.f (y ⊗ x′)] +[x > β.x′ ⇒ β.f (y ⊗ x′)]] .

(108)

We have e.g. JC (α.α.∅ ⊗ β.β.∅)K = Jα.β.α.β.∅K.

A “trace operation” to represent dataflow processes with feedback loops is not de-finable in Affine HOPLA, because then we would have obtained a compositionalrelational semantics of nondeterministic dataflow with feedback, shown impossibleby Brock and Ackerman [9]. However, with a more refined notion of “relation”, whichspells out the different ways in which input and output of a dataflow process arerelated, such a semantics is in fact possible [23].

6 Related Work

We conclude by setting the specific results of this paper in the context of what wesee as a promising broader enterprise towards a full domain theory for concurrency.

6.1 Presheaf Semantics

We have investigated the path semantics of HOPLA and Affine HOPLA. In realityHOPLA and Affine HOPLA were discovered within a more informative domaintheory than that based on path sets. As remarked earlier, the domain of path sets P,of a path order P, is isomorphic to characteristic functions [Pop,2], ordered pointwise.In modelling a process as a path set we are in effect representing a process by acharacteristic function from paths to truth values 0 < 1. If instead of these simpletruth values we take sets of realisers, replacing 2 by the category of sets Set, weobtain a functor category [Pop,Set], whose objects, traditionally called presheaves,provide an alternative “domain” of meanings; now a process denotes a presheaf inwhich a path is associated with the set of elements standing for the ways in whichthe path can be realised.

For the presheaf semantics of HOPLA we can obtain a more refined adequacyresult than that for the path semantics: Letting ` t : !P, the set of realisers JtK(∅)corresponds to the set of derivations of !P : t

!−→ t′ : P. In fact, a guiding principle indesigning the operational semantics has been that derivations of transitions of whichthe actions are essentially paths should correspond to the realisers associated to thepath in the denotational semantics; this generally determines the form of rules.

A presheaf captures the nondeterministic branching of a process and a presheafsemantics can support equivalences such as forms of bisimulation which are sensitive

27

to the branching behaviour of processes. Though here our understanding of the roleof open maps and open map bisimulation, intrinsic to presheaf models [26], is veryincomplete.

The presheaf semantics helps expose a range of possible pseudo comonads withwhich to interpret !P [15, 40].

6.2 Powerdomains

The adjunction between Lin and Cts, key to our semantics of HOPLA, determinesa monad, the monad of the “Hoare powerdomain” [52]. The adjunction between Linand Cts is of the kind already studied in the early work of Hennessy and Plotkin [20];they were concerned with adjunctions between categories of nondeterministic cposand categories of cpos associated with a variety of powerdomains. This was in thedays prior to linear logic. But models of linear logic are obtained by cutting downtheir adjunctions.

Like the model of linear logic formed from Lin and Cts, we expect that eachmodel furnishes a denotational semantics of HOPLA. Presumably there are full ab-straction results companion to that here based on detecting the “must” as well as“may” behaviour of processes. Just as there is an abstraction function from the pre-sheaf semantics of HOPLA to its path semantics (induced by sending nonempty setsof realisers to 1 and the empty set to 0), so can we expect other abstraction functionsfrom the presheaf semantics to other powerdomain semantics. But presently all thisis conjectural.

Note that this use of powerdomains doesn’t fit the original pattern proposed forhandling concurrency via a recursively defined powerdomain of resumptions [46];rather one defines domains of paths recursively and only then adjoins nondetermin-ism.

6.3 An Underlying Language?

Most process languages have developed incrementally, based on previously knownlanguages. Even HOPLA and Affine HOPLA are essentially lambda-calculi extendedby nondeterministic sum and prefix operations (though the latter are understood asarising from a comonad associated with models of linear logic). Proof theory isbeginning to influence ideas on the nature of processes. A recent impetus has beenthe discovery of linear logic, a discovery founded on the domain theory of coherencespaces with linear and stable maps [19]. Similarly we can hope that a persuasivemathematical model of processes can guide us towards a fuller understanding ofprocesses and their syntax.

We have a rich model in the linear category analogous to Lin but based onpresheaves rather than path sets. Just as maps in Lin correspond to relations, theanalogous maps correspond to profunctors, a generalisation of relations (see e.g. [7]for an elementary introduction to profunctors, there called “distributors”). The bi-category of profunctors Prof is analogous to Lin.5 Like Lin the bicategory Profhas an involution so that maps f : P → Q correspond to their dual f⊥ : Q⊥ → P⊥.

5The bicategory Prof is equivalent to the 2-category in which maps are colimit-preserving func-tors between presheaf categories, perhaps a more immediate analogue of Lin.

28

Indeed, again just as in Lin, a map f : P → Q corresponds to a map f ′ : P×Q⊥ → 1,in which we have “dualised” the output to input.

It is because of this duality that open maps and open-map bisimulation forhigher-order processes take as much account of input as they do output. Most oftentwo higher-order processes are defined to be bisimilar iff they yield bisimilar outputson any common input. But this simply won’t do within a type discipline in which allnontrivial output can be “dualised” to input. On the other hand, traditional processlanguages and their types don’t support this duality.

One line towards understanding open-map bisimulation at higher order is to de-sign a process language in which this duality is present. The language could supportthe types of Prof extended by a suitable pseudo comonad. Ideally one would obtaina coinductive charactisation of open map bisimulation at higher order based on anoperational semantics. (The mathematics for this enterprise is developed in [15].)

6.4 Affine Models

Linear maps alone are too restrictive to support a semantics of processes. To do sothey must be moderated through the use of a (pseudo) comonad, the simplest ofwhich is lifting.

There is a category analogous to Aff based on presheaves rather than pathsets; its maps preserve connected colimits in presheaf categories [40, 15]. This affinecategory is host to the semantics of nondeterministic dataflow [23], event-structuresemantics of CCS and related languages [12] as well as a semantics for Affine HOPLA.

It came as a recent surprise [43] that the presheaf denotations of first-orderprocesses in Affine HOPLA can be represented by event structures; the elements ofdefinable presheaves can be understood as finite configurations of an event structure.In more detail, maps definable in Affine HOPLA by open terms can be representedby certain spans of event structures with composition given by pullbacks. This shedslight on the tensor operation and the form of entanglement associated with it, reveal-ing the tensor as a form of parallel composition of event structures and entanglementas a pattern of concurrency/conflict. The event-structure semantics extends to alltypes, so higher-order processes. Though, as one would expect, the event-structuresemantics diverges from the presheaf semantics at higher-order; the event-structuresemantics is analogous to stable domain theory [6].

As mentioned above, we can define a semantics for CCS using Affine HOPLAsubject to certain restrictions on occurrences of variables. Unfortunately, one canshow the event-structure denotations of Affine HOPLA are too impoverished tocoincide with the standard “true concurrency” semantics of CCS as e.g. given in[54]. A language must go beyond Affine HOPLA if it is to express such semantics.Guidelines on what’s lacking in Affine HOPLA can be got from work on presheafmodels for concurrency [12], where the ingredients of product of presheaves, pom-set augmentation and cartesian liftings (extending the match operators of AffineHOPLA) all play a critical role. This work suggests exploring other event-structurerepresentations, based on more general spans of event structures, and perhaps a newcomonad yielding a less rigid form of prefixing.

As a general point, the affine category based on presheaves is very rich in struc-ture and supports a great many mathematical constructions which lie outside the

29

scope of the present syntax of Affine HOPLA.An operational semantics for the tensor-fragment of Affine HOPLA (leaving out

function space) was given in [40]. But it has proved very challenging to extend thisto higher order. Linearity obliges us to work with rather complicated environments,and entanglement of terms of tensor type in the execution of processes. (Note thatthe simplifying equation (100) is not valid in the presheaf semantics, not even upto isomorphism, because there, affine maps preserve connected colimits, and anynontrivial sum is manifestly not connected.) It is the interaction of the environmentswith higher-order processes which has been problematic in giving an operationalsemantics to full Affine HOPLA.

However the event-structure denotational semantics of Affine HOPLA suggestsan alternative operational semantics obviating the need for complicated environ-ments. It is at the cost of having transitions between open terms. Taking advan-tage of stability, the configurations of an event structure representing an open termx : P ` t : Q, will be associated with both an output q ∈ Q and a minimal input,P ∈ P⊥ necessary for that output. The idea is that such a configuration will corre-spond to a derivation in the operational semantics of a transition x : P ` t

q−→ t′ [43].

6.5 Name Generation

Process languages often follow the pioneering work on the π-calculus and allowname generation. HOPLA can be extended to encompass such languages [55]. Theextensions are to add a type of names N , function spaces, as well as a type δPsupporting new-name generation through the abstraction new x.t. The denotationalsemantics of the extension to name generation is currently being developed; thisaddresses the question of when function spaces exist in the obvious model (extendingthat of [13]). There is already an operational semantics; it is like that of HOPLAbut given at stages indexed by the current set of names.

Acknowledgments. The authors are glad to take this opportunity, that of DanaScott’s retirement, to express their indebtedness to Dana Scott for his pioneeringand visionary work in logic and computation. GW would like to add his gratitudefor many past kindnesses.

References

[1] S. Abramsky. The lazy lambda calculus. In D. Turner, editor. Research Topicsin Functional Programming. Addison-Wesley, 1990.

[2] S. Abramsky. Computational interpretations of linear logic. Theoretical Com-puter Science, 111(1–2):3–57, 1993.

[3] S. Abramsky. Game semantics for programming languages. In Proc. MFCS’97,LNCS 1295.

[4] N. Benton, G. Bierman, V. de Paiva and M. Hyland. Linear λ-calculus andcategorical models revisited. In Proc. CSL’92, LNCS 702.

30

[5] P. N. Benton. A mixed linear and non-linear logic: proofs, terms and models(extended abstract). In Proc. CSL’94, LNCS 933.

[6] G. Berry. Modeles completement adequats et stables des lambda-calculs types.These de Doctorat d’Etat, Universite Paris VII, 1979.

[7] F. Borceux. Handbook of Categorical Algebra I. Basic Category Theory. Cam-bridge University Press, 1994.

[8] T. Brauner. An Axiomatic Approach to Adequacy. Ph.D. Dissertation, Univer-sity of Aarhus, 1996. BRICS Dissertation Series DS-96-4.

[9] J. D. Brock and W. B. Ackerman. Scenarios: a model of non-determinate com-putation. In Proc. Formalization of Programming Concepts 1981, LNCS 107.

[10] L. Cardelli and A. D. Gordon. Anytime, anywhere: modal logics for mobileambients. In Proc. POPL’00.

[11] L. Cardelli and A. D. Gordon. A commitment relation for the ambient calculus.October 6th, 2000. Available from http://research.microsoft.com/~adg/.

[12] G. L. Cattani and G. Winskel. Presheaf models for concurrency. In Proc.CSL’96, LNCS 1258.

[13] G. L. Cattani, I. Stark and G. Winskel. Presheaf models for the π-calculus. InProc. CTCS’97, LNCS 1290.

[14] G. L. Cattani. Presheaf Models for Concurrency. Ph.D. Dissertation, Universityof Aarhus, 1999. BRICS Dissertation Series DS-99-1.

[15] G. L. Cattani and G. Winskel. Profunctors, open maps and bisimulation.Manuscript, 2003. Available from http://www.cl.cam.ac.uk/~gw104/.

[16] F. Crazzolara and G. Winskel. Events in security protocols. In Proc. 8th ACMConference on Computer and Communication Security, 2001.

[17] J. B. Dennis. Data flow computation. In M. Broy, editor. Control Flow andData Flow: Concepts of Distributed Programming. Springer-Verlag, 1985.

[18] S. Furber, editor. Proc. Eighth International Symposium on Asynchronus Cir-cuits and Systems. IEEE, 2002.

[19] J.-Y. Girard. Linear logic. Theoretical Computer Science, 50(1):1–102, 1987.

[20] M. C. B. Hennessy and G. D. Plotkin. Full abstraction for a simple parallelprogramming language. In Proc. MFCS’79, LNCS 74.

[21] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concur-rency. Journal of the ACM, 32(1):137–161, 1985.

[22] M. Hennessy. A fully abstract denotational model for higher-order processes.Information and Computation, 112(1):55–95, 1994.

31

[23] T. Hildebrandt, P. Panangaden and G. Winskel. A relational model of non-deterministic dataflow. In Proc. CONCUR’98, LNCS 1466.

[24] C. A. R. Hoare. Some properties of predicate transformers. Journal of theACM, 25(3):461–480, 1987.

[25] B. Jacobs. Semantics of weakening and contraction. Annals of Pure and AppliedLogic, 69(1):73–106, 1994.

[26] A. Joyal, M. Nielsen, and G. Winskel. Bisimulation from open maps. Informa-tion and Computation, 127:164–185, 1996.

[27] G. Kahn. The semantics of a simple language for parallel programming. Infor-mation Processing, 74:471–475, 1974.

[28] G. M. Kelly. Doctrinal adjunction. In Proc. Category Seminar. Sydney 1972/73,LNM 420.

[29] L. Lamport. Time, clocks, and the ordering of events in a distributed system.Communications of the ACM, 21(7):558–565, 1978.

[30] K. G. Larsen and G. Winskel. Using information systems to solve recursive do-main equations effectively. In Proc. Semantics of Data Types, 1984, LNCS 173.

[31] S. Mac Lane. Categories for the Working Mathematician. Second edition,Springer, 1998.

[32] G. McCusker. A fully abstract relational model of Syntactic Control of Inter-ference. In Proc. CSL’02, LNCS 2471.

[33] P.-A. Mellies. Categorical models of linear logic revisited. Submitted to Theo-retical Computer Science, 2002.

[34] R. Milner. A Calculus of Communicating Systems. LNCS 92, Springer-Verlag,1980.

[35] R. Milner. Communication and Concurrency. Prentice Hall, 1989.

[36] R. Milner, J. Parrow and D. Walker. A calculus of mobile processes, parts Iand II. Information and Computation, 100(1):1–77, 1992.

[37] R. Milner. Communicating and Mobile Systems: the π-Calculus. CambridgeUniversity Press, 1999.

[38] J. H. Morris. Lambda-Calculus Models of Programming Languages. PhD thesis,MIT, 1968.

[39] M. Nielsen, G. Plotkin and G. Winskel. Petri nets, event structures and do-mains, part I. Theoretical Computer Science, 13(1):85–108, 1981.

[40] M. Nygaard and G. Winskel. Linearity in process languages. In Proc. LICS’02.

32

[41] M. Nygaard and G. Winskel. HOPLA—a higher-order process language. InProc. CONCUR’02, LNCS 2421.

[42] M. Nygaard and G. Winskel. Full abstraction for HOPLA. In Proc. CON-CUR’03, LNCS 2761.

[43] M. Nygaard. Domain Theory for Concurrency. Ph.D. Dissertation, Universityof Aarhus, 2003. Available from http://www.daimi.au.dk/~nygaard/.

[44] D. Park. Concurrency and automata on infinite sequences. In Proc. TheoreticalComputer Science: 5th GI-Conference, LNCS 104, 1981.

[45] D. A. Peled, V. R. Pratt and G. J. Holzmann, editors. Proc. Partial OrderMethods in Verification 1996. DIMACS 29, American Mathematical Society,1997.

[46] G. Plotkin. A powerdomain construction. SIAM Journal on Computing,5(3):452–487, 1976.

[47] D. Sangiorgi and D. Walker. The π-calculus. A Theory of Mobile Processes.Cambridge University Press, 2001.

[48] D. S. Scott. Domains for denotational semantics. In Proc. ICALP’82, LNCS 140.

[49] R. A. G. Seely. Linear logic, ∗-autonomous categories and cofree coalgebras. InProc. Categories in Computer Science and Logic, 1987, Contemporary Mathe-matics 92.

[50] F. Javier Thayer, J. C. Herzog and J. D. Guttman. Strand spaces: why is asecurity protocol correct? In Proc. IEEE Symposium on Security and Privacy1998.

[51] B. Thomsen. A calculus of higher-order communicating systems. In Proc.POPL’89.

[52] G. Winskel. On powerdomains and modality. Theoretical Computer Science,36:127–137, 1985.

[53] G. Winskel. The Formal Semantics of Programming Languages. An Introduc-tion. The MIT Press, 1993.

[54] G. Winskel and M. Nielsen. Models for concurrency. In S. Abramsky et al,editors. Handbook of Logic in Computer Science. Volume 4. Semantic Modelling.Oxford University Press, 1995.

[55] G. Winskel and F. Zappa Nardelli. Manuscript, 2003.

33

A Proof of Soundness

We want to show that if P : ta−→ t′ : P′, then J!t′K ⊆ a∗JtK. The proof is by rule-

induction on the transition rules:

Recursive definition. If P : rec x.ta−→ t′ : P′ we have P : t[rec x.t/x] a−→ t′ : P′ as

premise. By the induction hypothesis and Corollary 3.3,

J!t′K ⊆ a∗Jt[rec x.t/x]K = a∗Jrec x.tK . (109)

Nondeterministic sum. If P : Σi∈Itia−→ t′ : P′ we have the premise P : tj

a−→ t′ : P′ forsome j ∈ I. By the induction hypothesis and linearity of a∗,

J!t′K ⊆ a∗JtjK = Ja∗tjK ⊆ JΣi∈Ia∗tiK = a∗JΣi∈ItiK . (110)

Abstraction. If P → Q : λx.tu 7→a−−−→ t′ : P′ we have Q : t[u/x] a−→ t′ : P′ as premise. By

the induction hypothesis and Corollary 3.2,

J!t′K ⊆ a∗Jt[u/x]K = a∗J(λx.t) uK = (u 7→ a)∗Jλx.tK . (111)

Application. If Q : t ua−→ t′ : P′ we have the premise P → Q : t

u 7→a−−−→ t′ : P′. By theinduction hypothesis,

J!t′K ⊆ (u 7→ a)∗JtK = a∗Jt uK . (112)

Injection. If Σα∈APα : βtβa−→ t′ : P′ we have the premise Pβ : t

a−→ t′′ : P′. By theinduction hypothesis and Proposition 3.4,

J!t′K ⊆ a∗JtK = a∗Jπβ(βt)K = (βa)∗JβtK . (113)

Projection. If Pβ : πβta−→ t′ : P′ we have the premise Σα∈APα : t

βa−→ t′ : P′. By theinduction hypothesis,

J!t′K ⊆ (βa)∗JtK = a∗JπβtK . (114)

Prefixing. Consider the transition !P : !t !−→ t : P. By definition, !∗J!tK = J!tK, a subsetof itself.

Prefix match. If Q : [u > !x ⇒ t] a−→ t′ : P′ we have the premises !P : u!−→ u′ : P and

Q : t[u′/x] a−→ t′ : P′. By the induction hypothesis for u,

J!u′K ⊆ !∗JuK = JuK (115)

Now by the induction hypothesis for t, Proposition 3.5 and monotonicity,

J!t′K ⊆ a∗Jt[u′/x]K = a∗J[!u′ > !x ⇒ t]K ⊆ a∗J[u > !x ⇒ t]K . (116)

Fold. If µj~T .~T : abs t

abs a−−−→ t′ : P′ we have the premise Tj[µ~T .~T/~T ] : ta−→ t′ : P′. By

the induction hypothesis and since abs and rep are inverses,

J!t′K ⊆ a∗JtK = a∗Jrep(abs t)K = (abs a)∗Jabs tK . (117)

Unfold. If Tj[µ~T .~T/~T ] : rep ta−→ t′ : P′ we have the premise µj

~T .~T : tabs a−−−→ t′ : P′.

By the induction hypothesis,

J!t′K ⊆ (abs a)∗JtK = a∗Jrep tK . (118)

The rule-induction is complete. 2

34

B Proof of Adequacy (Main Lemma)

For the proof of Lemma 3.11 we need two technical results, which can both be provedby induction on the structure of paths. One says that εP is closed on the left by ≤P,the other that εP is closed on the right by the relation <∼1, defined by t1 <∼1 t2 iffP : t1

a−→ t′ : P′ implies P : t2a−→ t′ : P′.

Lemma B.1 If p ≤P p′ and p′ εP t, then p εP t.

Lemma B.2 If p εP t1 and t1 <∼1 t2, then p εP t2.

It follows from Lemma B.1 that for any subset X of P we have X EP t iff thedown-closure of X, written X , satisfies X EP t.

The proof of Lemma 3.11 proceeds by structural induction on terms using theinduction hypothesis

Suppose x1 : P1, . . . , xk : Pk ` t : P and let ` sj : Pj with Xj EPj sj for1 ≤ j ≤ k. Then JtK(X1, . . . , Xk) EP t[s1/x1, . . . , sk/xk].

We’ll abbreviate x1 : P1, . . . , xk : Pk to Γ, (X1, . . . , Xk) to X, and the substitution[s1/x1, . . . , sk/xk] to [s]. Lemma B.2 will be used freely below.

Variable. Let Γ ` xj : Pj, with j between 1 and k, and ` sj : Pj with Xj EPj sj for1 ≤ j ≤ k. We must show that JxjKX EPj xj [s]. Now, JxjKX = Xj and xj[s] ≡ sj sothis amounts to Xj EPj sj which by the remarks above is equivalent to Xj EPj sj.

Recursive definition. Let Γ ` rec x.t : P and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k.We must show that Jrec x.tKX EP rec x.t[s]. Now, Jrec x.tKX = (fix F )X where Fmaps g : Γ → P to the composition

Γ ∆Γ−−→ Γ & Γ 1Γ&g−−−→ Γ & Pt−→ P . (119)

We’ll show by induction on n that Fn(∅)X EP rec x.t[s] for all n ∈ ω. Having doneso we may argue as follows: Since

Jrec x.tKX = (fix F )X = (⋃

n∈ω Fn∅)X =⋃

n∈ω ((Fn∅)X) , (120)

we have that p ∈ Jrec x.tKX implies the existence of an n ∈ ω such that p ∈ (Fn∅)X.Therefore Jrec x.tKX EP rec x.t[s] as wanted.

Basis. Here, (F 0∅)X = ∅. By definition of EP we get ∅ EP t for any type P andterm ` t : P.

Step. Suppose (Fn∅)X EP rec x.t[s]. By the assumption of the lemma, Xj EP sj foreach 1 ≤ j ≤ k, and so by the induction hypothesis of the structural induction,

JtK(X, (Fn∅)X) EP t[s][rec x.t[s]/x] . (121)

So if p ∈ (Fn+1∅)X, then since (Fn+1∅)X = JtK(X, (Fn∅)X) we have p εP

t[s][rec x.t[s]/x]. By the transition rules we have t[s][rec x.t[s]/x] <∼1 rec x.t[s], and sop εP rec x.t[s]. We conclude (Fn+1∅)X EP rec x.t[s] and the mathematical inductionis complete.

35

Nondeterministic sum. Let Γ ` Σi∈Iti : P and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k.We must show that JΣi∈ItiKX EP Σi∈Iti[s]. Now, JΣi∈ItiKX = Σi∈IJtiKX. So ifp ∈ JΣi∈ItiKX, there exists j ∈ I with p ∈ JtjKX. Using the induction hypothesis fortj we have p εP tj[s]. By the transition rules, tj[s] <∼1 Σi∈Iti[s] and so p εP Σi∈Iti[s]as wanted.

Abstraction. Let Γ ` λx.t : P → Q and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k.We must show that Jλx.tKX EP→Q (λx.t)[s]. So let P 7→ q ∈ Jλx.tKX. By thedenotational semantics, we then have q ∈ JtK(X, iPP ). We must show that P 7→q εP→Q (λx.t)[s]. So suppose ` u : P with P EP u. We must then show q εQ

(λx.t)[s] u. By the transition rules, t[s][u/x] <∼1 (λx.t)[s] u and so it is sufficient toshow q εQ t[s][u/x]. Now, by the induction hypothesis, we know that JtK(X, iPP ) EQ

t[s][u/x] and so, with q ∈ JtK(X, iPP ), we are done.

Application. Let Γ ` t u : Q and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k. Wemust show that Jt uKX EQ (t u)[s]. So suppose q ∈ Jt uKX. By the denotationalsemantics, there exists P ∈ !P such that P 7→ q ∈ JtKX and P ⊆ JuKX. By theinduction hypothesis for t, we have JtKX EP→Q t[s] and so P 7→ q εP→Q t[s]. Thismeans that given any ` u′ : P with P EP u′, we have q εQ t[s] u′. Now using theinduction hypothesis for u we get that JuKX EP u[s] and so, since P ⊆ JuKX, wehave P EP u[s] so that q EQ t[s] u[s] ≡ (t u)[s] as wanted.

Injection. Let Γ ` βt : Σα∈APα and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k. Wemust show that JβtKX EΣα∈APα (βt)[s]. So suppose βp ∈ JβtKX; by the denotationalsemantics, p ∈ JtKX. We must then show that βp εΣα∈APα (βt)[s] which means thatp εPβ

πβ(βt[s]). By the transition rules, we have t[s] <∼1 πβ(βt[s]) so it is sufficientto show that p εPβ

t[s]. By the induction hypothesis, JtKX EPβt[s] and so, since

p ∈ JtKX we have p εPβt[s] as wanted.

Projection. Let Γ ` πβt : Pβ with Γ ` t : Σα∈APα and β ∈ A, and ` sj : Pj

with Xj EPj sj for 1 ≤ j ≤ k. We must show that JπβtKX EPβπβt[s]. So suppose

p ∈ JπβtKX; by the denotational semantics, βp ∈ JtKX. By the induction hypothesis,JtKX EΣα∈APα t[s] and so βp εΣα∈APα t[s] which means that p εPβ

πβt[s] as wanted.

Prefixing. Let Γ ` !t : !P and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k. We mustshow that J!tKX E!P !t[s]. So suppose P ∈ J!tKX; by the denotational semantics,P ⊆ JtKX. We must then show that P ε!P !t[s], and so since the transition rulesprovide a derivation !P : !t[s] !−→ t[s] : P, that P EP t[s]. Now, by the inductionhypothesis, JtKX EP t[s] and so, since P ⊆ JtKX we have P EP t[s] as wanted.

Prefix match. Let Γ ` [u > !x ⇒ t] : Q and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k.By renaming x if necessary, we may assume that x is not one of the xj . We must showthat J[u > !x ⇒ t]KX EQ [u > !x ⇒ t][s]. So suppose q ∈ J[u > !x ⇒ t]KX; by thedenotational semantics, there exists P ∈ !P such that q ∈ JtK(X, iPP ) and P ∈ JuKX.By the induction hypothesis for u we have JuKX E!P u[s] and so since P ∈ JuKX,there exists u′ such that !P : u[s] !−→ u′ : P and P EP u′. Hence, by the inductionhypothesis for t we have JtK(X, iPP ) EQ t[s][u′/x] and so since q ∈ JtK(X, iPP ) wehave q εQ t[s][u′/x]. Now, by the transition rules, t[s][u′/x] <∼1 [u > !x ⇒ t][s] andso q εQ [u > !x ⇒ t][s] as wanted.

36

Fold. Let Γ ` abs t : µj~T .~T and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k. We must

show that Jabs tKX Eµj~P .~T abs t[s]. So suppose abs q ∈ Jabs tKX such that q ∈ JtKX.

By the induction hypothesis, q εTj [µ~T .~T/~T ] t[s] and since t[s] <∼1 rep abs t[s], we have

q εTj [µ~T .~T/~T ]

rep abs t[s] which means that abs q εµj

~P .~Tabs t[s] as wanted.

Unfold. Let Γ ` rep t : Tj[µ~T .~T/~T ] and ` sj : Pj with Xj EPj sj for 1 ≤ j ≤ k.We must show that Jrep tKX E

Tj [µ~T .~T/~T ] rep t[s]. So suppose q ∈ Jrep tKX such thatabs q ∈ JtKX. By the induction hypothesis, abs q εµj

~T .~T t[s] and so q εTj [µ~T .~T/~T ]

rep t[s] as wanted.

The structural induction is complete. 2

37